Slide 1: VMware Security Briefing
Dan Watson, Senior Systems Engineer, VMware
VMUG, Edinburgh, Feb 24, 2011
Confidential © 2010 VMware Inc. All rights reserved

Slide 2: 2010 Milestone: Virtualization is Now the De Facto Model
[Chart: "VM cross over", physical hosts vs. virtual machines, 2005–2013. Source: IDC]
84% of all virtualized applications in the world run on VMware. (Gartner, December 2009)
We are past a virtual tipping point!

Slide 3: Virtualization Paves the Way to a New Era in IT
Mainframe → PC / Client-Server → Web → Virtualization → Cloud
Cloud Computing will transform the delivery and consumption of IT services

Slide 4: Security Journey to the Private and Hybrid Clouds
[Diagram: progression from reality through hype to future: "Air Gapped" Pods → Mixed Trust Hosts → Secure Hybrid Cloud → Public Cloud]

Slide 5: Enterprise Data Center Security & Networking Today
[Diagram: Users and Sites, DMZ, Web Sites, View, Backend Services, vSphere]
• Desktop A/V agents
• DLP, FIM, whitelisting
• DMZ firewall, NAT, IPAM, VR
• Site and user VPNs
• Web load balancers
• Network segmentation, firewalls, IDS/IPS
• Server A/V agents
• App | data | identity aware security, compliance

Slide 6: VMware’s Security Vision for Secure Clouds
Bring the benefits of Cloud Computing to the Enterprise, via Secure Hybrid Clouds
• Virtualize security into Security VMs (SVMs), including partner offers
• Unify security into a programmable trust zone/policy framework
• Encapsulate and stand up secure vApps and VDCs on demand
• Secure the virtualization stack – infrastructure, apps, end users
“Disruptively Simplified” Security

Slide 7: First Priority is to Virtualize Security Infrastructure
[Diagram: DMZ, Web Servers, Apps / DB Tier, Users, Sites]
1. Virtualize and consolidate security functions into the hypervisor
2. Leads to a much simplified, agile architecture

Slide 8: Secure vApps Simplify Cloud Deployments
[Diagram: Secure vApp, Users, Sites, Secure IaaS]
IaaS = It’s About Apps, Stupid!

Slide 9: VMworld 2010 Launch – VMware vShield Partners

Slide 10: 2010 – Introducing vShield Products
Securing the Private Cloud End to End: from the Edge to the Endpoint
• vShield Edge (Edge): secure the edge of the virtual datacenter
• vShield App (Security Zone): application protection from network-based threats
• vShield Endpoint (Endpoint = VM): enables offloaded anti-virus
[Diagram: Virtual Datacenter 1 and Virtual Datacenter 2 with DMZ, PCI compliant, HIPAA compliant, Web and View zones, managed by VMware vShield Manager]

Slide 11: vShield Endpoint – Efficient Anti-Virus for Virtual Servers and Desktops
[Diagram: a Security VM (AV engine, OS) inspecting guest VMs (APP / OS / Kernel / BIOS) through introspection on VMware vSphere]
Features
• Offload guest A/V to a Security VM (SVM)
• File-scanning engines and virus definitions
• On-demand and on-access scans
• Security VM delivered by leading AV partners
• Enforce remediation using a driver in the VM
• Policy and configuration management through UI or REST APIs
• Logging and auditing
Benefits
• Improve performance by offloading anti-virus functions in tandem with AV partners
• Avoid AV storms (I/O spikes, CPU/memory utilization)
• 90% reduction in guest footprint
• Reduce risk by eliminating agents susceptible to attacks, with enforced remediation
• Satisfy audit requirements with detailed logging of AV tasks

Slide 12: vShield Edge – Secure the Edge of the Virtual Data Center
[Diagram: one vShield Edge per tenant (Tenant A, Tenant C, Tenant X) providing firewall, load balancer and VPN]
Features
• Multiple edge security services in one appliance
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site-to-site VPN (IPsec)
• Web load balancer
• Network isolation (edge port group isolation)
• Detailed network flow statistics for chargebacks, etc.
• Policy management through UI or REST APIs
• Logging and auditing based on syslog format
Benefits
• Lower cost and complexity by eliminating multiple special-purpose appliances
• Ensure policy enforcement with network isolation
• Scale-out architecture with one edge per org/tenant
• Programmable interfaces enable automation
• Rapid provisioning of edge security services
• Simplify IT compliance with detailed logging

Slide 13: vShield App – Application Protection from Network-Based Threats
Features
• Hypervisor-level firewall
• Inbound and outbound connection control applied at the vNIC level
• Elastic security groups – “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring
• Policy management
• Simple and business-relevant policies
• Managed through UI or REST APIs
• Logging and auditing based on industry-standard syslog format

Slide 14: vShield App Enables Mixed Trust Zones!
Today: DMZ and PCI-compliant workloads kept apart by an “air gap”
With vShield App: mixed trust hosts with virtual isolation and segmentation

Slide 15: Leveraging vShield App for Better-than-Physical Security
Key Benefits
• Complete visibility and control of inter-VM traffic, enabling mixed trust zones on the same ESX cluster
Better than Physical
• Distributed virtual firewall with scale-out port density
• Hypervisor-level introspection provides access to inter-VM traffic
• Intuitive trust zones leverage the vCenter inventory; independence from physical network segmentation or re-configuration
• Security policies follow the VMs
• Built-in firewall capabilities provide better-than-physical security at 1/3rd the cost

Slide 16: 3 Use Cases Are Emerging…
1. App / server protection in vSphere environments
2. Protection of View environments
3. Private and hybrid vCloud security

Slide 17: Use Case #1: Securing Business Critical Applications
[Diagram: VMware vShield App separating DMZ, Development and Finance workloads]
Requirements
• Deploy production apps in a shared infrastructure with:
– Traffic segmentation between applications
– Improved consolidation ratios
– Authorized access to applications by LOB
– Monitored, secured inter-VM communications
– Security policies maintained through vMotion
– Compliance with various audit requirements

Slide 18: Securing vSphere with Physical Security Solutions Today
[Diagram: perimeter security, interior security and endpoint security across Web, Application and Database zones; Internet → virtualized DMZ with firewalls → vSphere]
• Air-gapped pods with dedicated physical hardware
• Mixed trust clusters without internal security segmentation
• Configuration complexity
– VLAN sprawl
– Firewall rule sprawl
– Rigid network IP rules without resource context
• Private clouds (?)
Customers cannot realize true virtualization benefits due to security concerns

Slide 19: Use Case #1: Solution with vShield App
Features
• Hypervisor-level firewall – inbound and outbound connection control applied at the vNIC level
• Elastic security groups – “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring; logging and auditing based on industry-standard syslog format
• Policy management – simple and business-relevant policies
• Programmable – managed through UI or REST APIs, enabling script-based automation

Slide 20: Use Case #2: Secure View Deployments
[Diagram: remote users on the public network reach View desktops through the DMZ; local users and virtual servers sit on the private network; VMware vShield App in between]
Requirements
• Support thousands of internal and external View users with:
– Comprehensive security for View servers
– Anti-virus agents to protect client data and applications
– Optimal performance and scalability
– Protection between desktop VMs and internal servers
Solution – vShield Endpoint + App + Edge
• Improve performance by offloading AV processing
• Reduce costs by freeing up virtual machine resources and eliminating agents
• Improve security by streamlining AV functions into a hardened security virtual machine (SVM)
• Protect View application servers from threats
• Demonstrate compliance and satisfy audit requirements with detailed logging of offloaded AV tasks

Slide 21: Use Case #2 Solution: vShield Edge, App, and Endpoint
[Diagram: server farm]

Slide 22: Use Case #3: Service Provider – Multi-Tenant Hosting Service
[Diagram: VMware vCloud Director with a vShield Edge per tenant (Company A, Company B, Company C)]
Requirements
• Host thousands of tenants in shared infrastructure with:
– Traffic isolation between the tenants
– Protection and confidentiality of tenant apps and data
– Integration with Active Directory
– Compliance with various audit requirements
NOTE: Private Cloud is a simplified version of the Service Provider use case
Solution – vShield Edge, VMware vCloud Director
[Diagram: Company A, Company B and Company C each connected over VMware, Cisco or Juniper VPN]
• Guarantee full confidentiality and protection of tenant apps and data with built-in firewall and VPN
• Use enterprise directory services for security policies
• Accelerate compliance by logging all traffic information on a per-tenant basis
• Lower cost of security by 100+% by eliminating purpose-built appliances and by increasing utilization and VM density

Slide 23: vShield for vCloud Director
[Diagram: an Organization with vDC1 and vDC2 and their vApps, managed by IT]
• Deploy Orgs and vDCs – vCloud Director
• Secure the perimeter – NAT, DHCP, Firewall
• Connect remote vDCs – Secure VPN access
• Scale out web servers – Load balancer
• Defense-in-depth for sensitive apps – vShield App
• Efficient endpoint protection – vShield Endpoint
• Security as a service – automated (scripts), RESTful APIs

Slide 24: Private & Partner vClouds = Secure Hybrid Cloud Computing
• Secure the VM, i.e. lock down the virtual server
• Secure the vApp, i.e. protect your IP
• Secure the VDC, i.e. protect the logical perimeter
[Diagram: Private Cloud and Public Cloud (VMware vCloud Datacenter Service, “VDC Silver”) resource pools joined by secure VPN]

Slide 25: Vision: Disruptively Simplified Secure Private & Hybrid Clouds
1. Stand up zoned vApps on vSphere
2. Stand up secure View VMs on demand
3. Stand up vApps in a multi-tenant vCloud VDC
4. Stand up Spring vApps on vCloud
[Diagram: Finance vApp, View and Spring Framework vApps on VMware vSphere, a vCloud VDC and an external/partner vCloud, each fronted by Edge, App and Endpoint security services]

Slide 26: Vision: Comprehensive Security across the VMware Stack
[Diagram, VMware & Partners: Layer 1 Infrastructure (vSphere, server VMs, desktop VMs, IaaS; VI Sec, Edge Sec, EndPt Sec, Trust Sec), Layer 2 Security Management (policies, compliance, events, management & orchestration, IdSec), Layer 3 Computing (end user, application, data, enterprise apps, Web 2.0 apps, platforms, cloud PaaS/SaaS; AppSec, DataSec)]

Slide 27: The Emerging Security Ecosystem…
[Diagram, bottom to top: 1 Virtual Infrastructure (vSphere & vCenter, physical network); 2 Security VMs (EndPoint/EPSec, App/FW, Edge/NetSec); 3 Security Engines (AV, DLP, IDS, FW, VPN, …); 4 vShield Manager (vShield security APIs, vShield SDK/ecosystem); 5 Security Services (vCloud Director – security self-service). Several integration points.]

Slide 28: Summary: Security Journey to the Cloud
[Diagram: Air Gapped Pods → Mixed Trust Zones → Secure Hybrid Clouds, with Internet-facing Web / App / DB tiers, Tenant A, Tenant B and a Service Provider]

Slide 29: Thank you
Question & Answer Session
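The vShield App slides describe a hypervisor-level firewall whose rules are written in terms of trust zones taken from the vCenter inventory rather than IP addresses or VLANs, so that a policy keeps applying when a VM is vMotioned to another host and address. The Python model below is an added illustration of that idea, not vShield code and not its REST API; the VM, Rule and ZoneFirewall classes, the zone names and the flow-record format are all constructed for this example.

```python
# Constructed model of zone-based vNIC policy that follows a VM across hosts
# (illustration only: not vShield code and not its API).
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class VM:
    name: str
    zone: str   # trust zone from inventory membership, e.g. "PCI" or "DMZ"
    host: str   # ESX host currently running the VM
    ip: str     # may change after migration; deliberately unused by rules

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    action: str  # "allow" or "deny"

class ZoneFirewall:  # decides inter-VM flows at the vNIC using zones only
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default      # anything no rule mentions is denied
        self.log: List[str] = []    # syslog-style flow records for audit

    def check(self, src: VM, dst: VM, port: int) -> str:
        action = self.default
        for r in self.rules:        # first matching rule wins
            if (r.src_zone, r.dst_zone, r.port) == (src.zone, dst.zone, port):
                action = r.action
                break
        self.log.append(f"vmfw src={src.name}({src.zone}) dst={dst.name}"
                        f"({dst.zone}) dport={port} action={action}")
        return action

def vmotion(vm: VM, new_host: str, new_ip: str) -> None:
    """Migrate a VM: host and address change, zone membership does not."""
    vm.host, vm.ip = new_host, new_ip

def demo() -> Tuple[str, str, str, str]:
    web = VM("web01", "DMZ", "esx-01", "10.1.1.10")
    pay = VM("pay01", "PCI", "esx-01", "10.1.2.20")     # same host as web01
    dev = VM("dev01", "Development", "esx-02", "10.1.3.30")
    fw = ZoneFirewall([Rule("DMZ", "PCI", 443, "allow")])
    before = fw.check(web, pay, 443)     # allow: DMZ -> PCI on 443
    blocked = fw.check(dev, pay, 443)    # deny: Development never reaches PCI
    vmotion(pay, "esx-03", "10.9.9.20")  # pay01 moves host and changes IP
    after = fw.check(web, pay, 443)      # still allow: rule is keyed on zone
    lateral = fw.check(web, pay, 22)     # deny: no rule for this port
    return before, blocked, after, lateral
```

The same mixed-trust placement on one host (web01 and pay01 on esx-01) that slide 14 shows as needing an air gap is enforced here by the rule set alone, and every decision is written to the audit log.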